Microsoft Internet Information Server Comes With Code That Allows Remote Users to Conduct Cross-Site Scripting Attacks
SecurityTracker Alert ID: 1004008
SecurityTracker URL: http://securitytracker.com/id/1004008
CVE-2002-0074, CVE-2002-0075, CVE-2002-0148
Updated: Dec 3 2003
Original Entry Date: Apr 10 2002
Disclosure of authentication information, Execution of arbitrary code via network
Fix Available: Yes
Vendor Confirmed: Yes
Version(s): 4.0, 5.0, 5.1
Several cross-site scripting vulnerabilities were reported in Microsoft's Internet Information Server (IIS) web server. A remote user can conduct cross-site scripting attacks against other IIS site users to steal their cookies.
A remote user can send a special request that contains a malicious script to a target (victim) user. When the URL is loaded by the target user's browser, the code will be executed by the browser. The code will appear to originate from the IIS-based web site and, as a result, will run in the security context of the IIS-based web site. The code will be able to steal the target user's cookies and other personal information associated with that IIS-based web site.
According to the vendor, there are three vulnerable areas:
1) A search facility in IIS 5.0 and 5.1 only that allows IIS help files to be searched.
2) A redirect response (indicating that a requested web page has been moved to a new location) in IIS 4.0, 5.0, and 5.1 when used with a browser other than Internet Explorer.
3) Several error message pages in IIS 4.0 and 5.0.
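All three areas share one defect: request-supplied text (a search term, a redirect target, a requested path) is echoed into the response without output encoding. As an added example, not code from Microsoft or from the advisory, the snippet below renders the same three response types with the echoed value encoded for its context and adds a defender's check that the rendered page carries only the template's own tags. The request strings and page templates are constructed placeholders, not the advisory's test string or IIS's actual pages.

```python
import html
from html.parser import HTMLParser
from urllib.parse import quote

# Constructed request data standing in for the search term, redirect target
# and requested path that IIS echoed back unescaped (placeholder, not the
# advisory's own test string).
UNTRUSTED = 'help"><b onmouseover=x>topic'

def render_search_results(query, hits):
    """Help-search results page: the query is echoed in HTML body context."""
    rows = "".join(f"<li>{html.escape(h)}</li>" for h in hits)
    return f"<h1>Results for: {html.escape(query)}</h1><ul>{rows}</ul>"

def render_redirect(new_location):
    """302 'Object Moved' response: percent-encode the header value and
    attribute-escape the same value where the body repeats it as a link."""
    safe_loc = quote(new_location, safe="/:?=&")
    headers = {"Status": "302 Object Moved", "Location": safe_loc}
    body = ('<h1>Object Moved</h1>This document may be found '
            f'<a href="{html.escape(safe_loc, quote=True)}">here</a>')
    return headers, body

def render_error(status, requested_path):
    """Error page: the requested path is echoed in HTML body context."""
    return (f"<h1>{status}</h1><p>The page {html.escape(requested_path)} "
            "was not found.</p>")

class _TagCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.tags, self.attrs = [], []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.attrs.extend(name for name, _ in attrs)

def only_template_markup(rendered, allowed_tags):
    """Defender check: the rendered page must contain no tags beyond the
    template's own and no event-handler (on*) attributes at all."""
    p = _TagCollector()
    p.feed(rendered)
    return (set(p.tags) <= set(allowed_tags)
            and not any(a.lower().startswith("on") for a in p.attrs))

if __name__ == "__main__":
    page = render_search_results(UNTRUSTED, ["Installing IIS"])
    print(only_template_markup(page, {"h1", "ul", "li"}))  # True
```

The same check returns False for a page that echoes the query raw, which is the condition the advisory describes.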
A demonstration exploit is provided for the search engine flaw. To check your system, enter the following in your search engine field:
If a box pops up showing your domain name you're vulnerable.
Microsoft has assigned this vulnerability a 'Moderate' severity level for Client Systems.
The vendor credits the following for reporting this information:
1) Joe Smith (firstname.lastname@example.org) and zenomorph (email@example.com) of http://www.cgisecurity.com for reporting the cross-site scripting vulnerability in the IIS Help File search facility.
2) Keigo Yamazaki of the LAC SNS Team (http://www.lac.co.jp/security/) for reporting the cross-site scripting vulnerability affecting redirect response messages.
3) Thor Larholm of Jubii A/S for reporting the cross-site scripting vulnerability affecting HTTP error pages.
A remote user can conduct a cross-site scripting attack against other IIS users, stealing their cookies and other personal information associated with the IIS-based web site.
The vendor has released a fix:
For Microsoft IIS 4.0:
For Microsoft IIS 5.0:
For Microsoft IIS 5.1:
The IIS 4.0 patch can be installed on systems running Windows NT 4.0 SP6a. The IIS 5.0 patch can be installed on systems running Windows 2000 SP1 or SP2. The IIS 5.1 patch can be installed on systems running Windows XP Professional Gold.
Microsoft notes that the IIS 5.0 fixes will be included in Windows 2000 SP3 and the IIS 5.1 fixes will be included in Windows XP SP1.
For IIS 4.0 and 5.0, this patch reportedly supersedes the one previously provided in Microsoft Security Bulletin MS01-044.
There is a very large list of 'caveats' associated with this patch. See the Vendor URL for the list.
The vendor will issue Microsoft Knowledge Base article Q319733 shortly, to be available on the Microsoft Online Support web site.
Vendor URL: www.microsoft.com/technet/security/bulletin/MS02-018.asp
Authentication error, Input validation error
Underlying OS: Windows (NT), Windows (2000), Windows (XP)
Source Message Contents
Subject: Netware Web Search Engine, and Microsoft IIS Help File Search Facility
[ Cgi Security Advisory #9 ]
Netware Web Search Engine, and Microsoft IIS Help File Search Facility
Cross Site Scripting Holes
December 3rd 2001
Scripts Affected: Netware Web Search, IIS
Cost: I dunno but they ain't free :)
Web Search 2.0, 2.0.1
IIS 4.0 and 5.0
These products are affected by a Cross Site Scripting hole. This hole may allow
an attacker to trick a user into thinking something the attacker wrote
actually came from the site that is affected. This involves some social
engineering to a point but could possibly allow gathering of user information
and other types of fraud. The easiest way to see if you're affected is to enter
If a box pops up showing your domain name you're vulnerable.
The vendors were notified of the problem. Check the pages below
for patching/upgrade information.
Novell fix information:
"Yes, the fix can be found at support.novell.com downloads It is part
of the NetWare 6 sp1 update." - Novell
Microsoft fix information:
I swear these are my last Cross Site Scripting holes. I found the IIS
hole helping a friend with a pen test, and the Novell hole 5 minutes
later. I only released this advisory because they are two large companies
that suffer the same problem, and I myself like to know if my software
has holes no matter how small they are.
Published to the Public April 2002
Copyright April 2002 Cgisecurity.com